Source: cve@mitre.org
A door-unlocking issue was discovered on Software House iStar Ultra devices through 6.5.2.20569 when used in conjunction with the IP-ACM Ethernet Door Module. The communications between the IP-ACM and the iStar Ultra are encrypted using a fixed AES key and IV. Each message is encrypted in CBC mode and restarts with the fixed IV, leading to replay attacks of entire messages. There is no authentication of messages beyond the use of the fixed AES key, so message forgery is also possible.
Software House iStar Ultra controllers through firmware 6.5.2.20569, when paired with the IP-ACM Ethernet Door Module, carry a critical flaw that allows unauthorized door unlocking. Traffic between the iStar Ultra and the IP-ACM is encrypted with a single fixed AES key and a fixed IV and is not authenticated, so an attacker with access to the link can replay captured messages or forge new ones, potentially gaining physical access to secured areas.
Step 1: Reconnaissance: Identify the iStar Ultra controllers and IP-ACM Ethernet Door Modules on the network, and the link between them.
Step 2: Packet Capture: Capture traffic between the iStar Ultra and the IP-ACM, for example with Wireshark or tcpdump from a tap or from a host on the same segment.
Step 3: Traffic Analysis: Pick out the encrypted door-unlock messages. Because every message is encrypted under the same key and the same IV, a given command always produces the same ciphertext, so an unlock frame can be identified by correlating a recurring byte pattern with observed door openings; no decryption is needed.
Step 4: Replay Attack: Resend a captured unlock message to the IP-ACM. The module decrypts it with the fixed key and IV and executes the command, because nothing in the message (no nonce, counter or timestamp) tells it that the frame is stale. The attacker does not need to know the key for this step.
Step 5: Message Forgery (Optional): The key and IV are fixed, so they are the same in every installation; once recovered from any one device or firmware image, they let the attacker encrypt new messages that the IP-ACM accepts, such as fresh unlock commands, instead of relying on captured ones. Nothing beyond the key authenticates a message.
The vulnerability is an encryption design flaw, not a weakness in AES itself. The iStar Ultra and the IP-ACM encrypt their messages with AES in CBC mode, but under a single fixed key and a fixed Initialization Vector (IV), and with no message authentication code. A fixed IV makes CBC deterministic: the same command always encrypts to the same bytes, so an eavesdropper can recognize a door-unlock message among captured traffic and, because the receiver checks no nonce, sequence number or timestamp, replay it at any later time to open the door. The missing authentication compounds this: CBC ciphertext can be modified or built from scratch without detection, and anyone holding the key, which is identical across installations, can encrypt arbitrary commands that the door module cannot distinguish from genuine ones. Together, the fixed key and the absent authentication defeat the purpose of encrypting the link.
No specific APT groups are publicly linked to this CVE, but a flaw in physical access control is attractive to any actor who wants to get into a facility, from opportunistic intruders to targeted intrusion teams. The vulnerability is not listed in the CISA KEV catalog; it should nonetheless be treated as high risk because of its impact.
Monitor traffic between the iStar Ultra and the IP-ACM for byte-identical encrypted payloads that recur, and for frames that originate from any host other than the controller. Because the encryption is deterministic, a replayed frame is identical to the original; a command the controller legitimately sends twice is identical too, so combine the payload match with the source address and the controller's own transmission log before concluding a replay occurred.
If the fixed key and IV have been recovered (they are the same across installations), a passive decryptor on a network tap can turn the opaque frames into readable commands and log them, making injected unlock commands directly visible. Without the key, the repeat-pattern and source checks above still apply.
Review iStar Ultra and IP-ACM logs for door openings the controller did not command and for unexpected changes to access control settings.
Deploy IDS rules that alert on a repeated payload hash on the door link, especially when it is sent from a different source than its first occurrence, and on any traffic to the IP-ACM from hosts other than the controller.
Compare physical access logs against authorized user activity and badge events; an unlock with no matching credential presentation is a strong indicator.
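As an added example (not tooling from the page or the vendor), the Go program below runs the payload-repeat and source checks described above over a constructed capture of the door link. The capture format, the addresses and the ciphertext bytes are invented for the example; only the checks follow from the page: under a fixed key and IV a replayed frame is byte-identical to the original, so a recurring payload from a host other than the controller is the strongest signal, while a recurrence from the controller itself is downgraded to a review item because a legitimately repeated command looks exactly the same on the wire.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Frame is one captured controller-to-door message. The capture layout (time,
// source, destination, hex payload) is an assumption made for this example;
// adapt parseCapture to whatever your tap or pcap tooling actually emits.
type Frame struct {
	Time, Src, Dst string
	Payload        []byte
}

// Constructed sample capture, not real traffic; payloads are opaque ciphertext.
// Frame 4 is a byte-identical copy of frame 2 sent by a host that is not the
// controller (a replay). Frame 5 is the controller legitimately repeating frame 1.
const sampleCapture = `
09:00:01 10.10.1.5  10.10.1.20 6b1f0c7d2a9e3348f15c0b8e7d9a2c410e7a5d93c2b1f6480a3d5e7c9b1f2a64
09:00:07 10.10.1.5  10.10.1.20 9d2e4f6a8b0c1d3e5f7a9b2c4d6e8f013c5e7f9a1b2d4e6f8a0c2e4f6a8b0d1f
09:03:15 10.10.1.5  10.10.1.20 a1b2c3d4e5f60718293a4b5c6d7e8f900f1e2d3c4b5a69788796a5b4c3d2e1f0
09:03:40 10.10.1.99 10.10.1.20 9d2e4f6a8b0c1d3e5f7a9b2c4d6e8f013c5e7f9a1b2d4e6f8a0c2e4f6a8b0d1f
09:04:02 10.10.1.5  10.10.1.20 6b1f0c7d2a9e3348f15c0b8e7d9a2c410e7a5d93c2b1f6480a3d5e7c9b1f2a64
`

// Alert kinds: unexpected-source, replay-from-other-host, repeated-ciphertext,
// malformed-length.
type Alert struct {
	Kind, Time, Detail string
}

func parseCapture(s string) ([]Frame, error) {
	var frames []Frame
	for _, line := range strings.Split(strings.TrimSpace(s), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("bad capture line: %q", line)
		}
		payload, err := hex.DecodeString(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad payload in %q: %v", line, err)
		}
		frames = append(frames, Frame{Time: f[0], Src: f[1], Dst: f[2], Payload: payload})
	}
	return frames, nil
}

// Detect flags frames from hosts other than the known controllers, payloads that
// recur (a replayed frame is byte-identical under a fixed key and IV; a repeat
// from the controller itself is only a weak signal, since a genuine repeated
// command encrypts identically too), and frames that are not CBC block aligned.
func Detect(frames []Frame, controllers map[string]bool) []Alert {
	var alerts []Alert
	firstSeen := map[string]Frame{} // hex payload -> first frame carrying it
	for _, f := range frames {
		if len(f.Payload)%16 != 0 {
			alerts = append(alerts, Alert{"malformed-length", f.Time,
				fmt.Sprintf("%d-byte frame from %s is not block aligned", len(f.Payload), f.Src)})
		}
		if !controllers[f.Src] {
			alerts = append(alerts, Alert{"unexpected-source", f.Time, f.Src + " -> " + f.Dst})
		}
		key := hex.EncodeToString(f.Payload)
		prev, seen := firstSeen[key]
		switch {
		case !seen:
			firstSeen[key] = f
		case prev.Src != f.Src:
			alerts = append(alerts, Alert{"replay-from-other-host", f.Time,
				fmt.Sprintf("%s resent the frame first seen at %s from %s", f.Src, prev.Time, prev.Src)})
		default:
			alerts = append(alerts, Alert{"repeated-ciphertext", f.Time,
				fmt.Sprintf("%s repeated the frame first seen at %s; check the controller log", f.Src, prev.Time)})
		}
	}
	return alerts
}

// CountByKind summarizes alerts per kind.
func CountByKind(alerts []Alert) map[string]int {
	counts := map[string]int{}
	for _, a := range alerts {
		counts[a.Kind]++
	}
	return counts
}
```

Feed Detect the parsed frames and the set of controller addresses. On the sample it raises unexpected-source and replay-from-other-host for the injected frame at 09:03:40 and a lower-priority repeated-ciphertext for the controller's own repeat at 09:04:02; the malformed-length check catches frames that cannot be CBC output at all. The payload map is unbounded here; a production detector would age entries out, since under a fixed IV the same unlock command will recur legitimately for the life of the installation.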
Apply the vendor firmware update for the iStar Ultra and IP-ACM that replaces the fixed-key scheme; versions through 6.5.2.20569 are affected, so confirm the fixed version against the vendor advisory.
A sound design uses a key provisioned per device or per installation rather than one compiled into firmware, a fresh random IV or nonce for every message, and a sequence number or timestamp that the receiver checks, so that a captured message is rejected when it is replayed.
Authenticate every message, either with authenticated encryption such as AES-GCM or with encrypt-then-MAC using HMAC, so that forged or altered frames are rejected before they are acted on.
Segment the network so that the door-module link is reachable only from the controller, isolating the iStar Ultra and IP-ACM from other systems and from hosts an attacker could compromise.
Regularly audit access control settings and user permissions.
Require multi-factor authentication for administrative access to the access control system.
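To make both the flaw described in the technical analysis and the fix called for in the mitigations concrete, the Go program below models the controller-to-door link twice: first as the page describes it (AES-CBC, one fixed key, one fixed IV, no MAC), then with a per-installation key, a fresh nonce per frame, AES-GCM and a sequence check. It is an added example, not code from Software House or from the devices' firmware; the key, the IV and the 16-byte `UNLOCK door=0001` command are invented stand-ins, since the real message format and key are not published on this page. Against the weak model a sniffed frame opens the door every time it is resent and a frame built with the recovered key is indistinguishable from a real one; against the hardened model the same replay and a tampered frame are both rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Invented stand-ins for the key and IV baked into the firmware; the real values
// are not published on this page. The 16-byte command is likewise hypothetical,
// chosen to fill exactly one AES block so the model needs no padding.
var fixedKey = []byte("0123456789abcdef")
var fixedIV = []byte("fedcba9876543210")
var unlockCmd = []byte("UNLOCK door=0001")

// weakEncrypt models the vulnerable link: AES-CBC under the fixed key, restarting
// from the fixed IV for every message, no MAC. Equal commands give equal wire bytes.
func weakEncrypt(command []byte) []byte {
	block, _ := aes.NewCipher(fixedKey) // 16-byte key, cannot fail
	out := make([]byte, len(command))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(out, command)
	return out
}

// WeakDoor models the IP-ACM: anything that decrypts to a known command is acted
// on, with nothing to tell a replayed or attacker-built frame from a genuine one.
type WeakDoor struct{ Unlocked int }

func (d *WeakDoor) Receive(frame []byte) error {
	if len(frame) == 0 || len(frame)%aes.BlockSize != 0 {
		return errors.New("bad frame length")
	}
	block, _ := aes.NewCipher(fixedKey)
	msg := make([]byte, len(frame))
	cipher.NewCBCDecrypter(block, fixedIV).CryptBlocks(msg, frame)
	if bytes.Equal(msg, unlockCmd) {
		d.Unlocked++
	}
	return nil
}

// Hardened design: AES-GCM (confidentiality and integrity), a fresh random nonce
// per frame, and a sequence number the door requires to increase strictly.
type Controller struct {
	aead cipher.AEAD
	seq  uint64
}
type HardenedDoor struct {
	aead     cipher.AEAD
	lastSeq  uint64
	Unlocked int
}

// NewHardenedPair shares one per-installation key (provisioned per device in
// practice, never compiled into firmware) between a controller and a door.
func NewHardenedPair(key []byte) (*Controller, *HardenedDoor) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // AES block size is always valid for GCM
	return &Controller{aead: aead}, &HardenedDoor{aead: aead}
}

// Send emits nonce || GCM(seq || command) || tag.
func (c *Controller) Send(command []byte) []byte {
	c.seq++
	nonce := make([]byte, c.aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not return an error on supported platforms
	pt := make([]byte, 8+len(command))
	binary.BigEndian.PutUint64(pt, c.seq)
	copy(pt[8:], command)
	return c.aead.Seal(nonce, nonce, pt, nil)
}

func (d *HardenedDoor) Receive(frame []byte) error {
	ns := d.aead.NonceSize()
	if len(frame) < ns+8+d.aead.Overhead() {
		return errors.New("frame too short")
	}
	pt, err := d.aead.Open(nil, frame[:ns], frame[ns:], nil)
	if err != nil {
		return errors.New("authentication failed: forged or corrupted frame")
	}
	seq := binary.BigEndian.Uint64(pt[:8])
	if seq <= d.lastSeq {
		return errors.New("replay: sequence number not fresh")
	}
	d.lastSeq = seq
	if bytes.Equal(pt[8:], unlockCmd) {
		d.Unlocked++
	}
	return nil
}
```

Call weakEncrypt(unlockCmd) twice and the outputs are identical, which is what lets an eavesdropper spot the unlock frame; feed that frame to WeakDoor.Receive repeatedly and Unlocked climbs with every call. For the hardened pair, door.Receive(frame) succeeds once and returns a replay error on the second delivery, and flipping any byte of the frame fails authentication. The strict-increase rule tolerates lost frames, since a later sequence number still passes. One caveat for a real device: lastSeq must survive a reboot (or be replaced by a door-issued challenge), otherwise the replay window reopens after every power cycle.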